HBS Helps Software Firm Answer Customers’ Cybersecurity Requirements

SOC 2® Just Became Mandatory

One client call can turn a cybersecurity “nice to have” into a “must-have.” For software development company Summit Imaging, that call came from a large university medical center that was considering working with Summit Imaging—but only if it had a SOC 2® report. Knowing they needed a push (and expert insight) to formalize processes they had already started, Summit called on HBS for its SOC 2® work—and found a partner for the long haul. 

Experts in Medical Imaging

Summit Imaging, a 22-year-old company based near Kansas City, Missouri, offers two software applications for endoscopy clinics and other visible light imaging applications in the medical field. 

Summit Imaging’s EndoManager suite covers image capture; physician documentation and reporting; and integrating with electronic medical records (EMR) systems such as Cerner, Epic or Meditech. Summit Imaging’s ScopeCycle program helps organizations manage cleaning protocols for equipment (known as reprocessing). 

Hundreds of Summit Imaging customers in the United States, Canada and Australia range from single-physician clinics to large, multisite healthcare systems. Many of the company’s employees serve as software developers and help desk technicians who frequently log into clients’ environments via VPNs to directly work on issues. 

The Push for Third-Party Verification

While Summit Imaging hasn’t faced specific HIPAA compliance requirements so far (personal healthcare information is all stored on clients’ systems) the company trains it technicians to follow HIPAA guidelines while handling tech support issues inside customers’ systems. “We’re handling PHI, so we’re always very cognizant of security across the board,” says Chief Executive Officer Darren Meyer. 

Driven by that mindset, Summit Imaging had many solid cybersecurity policies in place, but lacked an overarching policy strategy. “From a technical standpoint, they were meeting a lot of the requirements before we started working with them,” HBS virtual CISO Matthew McGill says. “But they had really limited governance and didn’t know how to go about standing up a formal security program.” 

“We had started this process loosely ourselves,” Chief Operating Officer Evan Doss says. “But we quickly learned that professional guidance would be required to get us across the finish line.” 

Pursuing SOC 2®

When that call came in from the university medical center requiring a SOC 2® report, Summit Imaging decided it was time to call in a pro. 

The customers’ requirement wasn’t a surprise. “They weren’t the first to ask for a SOC 2® report,” Darren says. “But they were the first to require it.” As Summit Imaging scaled up to serving larger healthcare organizations, they knew they increasingly faced professional risk managers who would require third-party verification of vendors’ security postures. 

Like many other companies, Summit Imaging recognized three advantages to hiring a company like HBS to help them prepare for a SOC 2® exam rather than going it alone: 

• The process would go faster 
• Summit Imaging wouldn’t have to devote a large share of its internal resources to the process 
• They were almost assured of getting a positive SOC 2® report on the first try with experts guiding their preparation 

Picking a Partner

From the earliest calls, Darren liked HBS’s capabilities and philosophy for the SOC 2® Type 1 process. He liked that the consultants Summit Imaging met during the selection process would actually be doing the work. “We’re a small business, and I wanted to work with another small business,” Darren says. “We could’ve gone with some larger companies, but I was looking for that personalized touch.” 

HBS won Evan over with a clear vision for Summit Imaging's future.